Azure subscription rights challenge in CSP

Let’s imagine a situation when you are a CSP Partner and you provide Azure services to your customer. Customer purchases Office 365 licenses from another reseller (e.g. under Enterprise Agreement), and that reseller is a managing partner (delegated admin) for customer’s tenant. Customer wants you to manage Azure services only, and don’t manage Office 365.

You’ve assigned a reseller relationship with customer’s tenant, so you can assign cloud service subscriptions. But customer don’t want to let you manage Office 365 services or view user accounts in Azure AD, so he removes you from Managing Partners list. So one partner (or customer itself) has access to manage Office 365 and Azure AD, and CSP partner manages Azure subscription. Real life situation, right?

By default, you will face some issues in that case:

You (and only you) own Azure subscription in CSP as a partner. You can manage anything inside Azure CSP subscription and customer can’t revoke those rights.

Customer don’t have any access to Azure CSP subscription by default, even with Global Admin rights in the tenant.

If you’ll try to assign any rights to the customer inside that Azure subscription, you won’t be able to do that in a usual way, because you don’t see any users in customer’s directory. You won’t be able to do that on Azure Portal neither through PowerShell in a direct way.

But I’ve found a workaround trick. You can ask your customer to provide a GUID of a user inside Customer’s tenant and assign rights directly to that GUID. After that customer will be able to manage user rights himself.

December was another month of significant development for Microsoft Threat Protection capabilities. As a quick recap, Microsoft Threat Protection is an integrated solution securing the modern workplace across…